Make links https only (#9)

Add url validators with strict schemes parameter, update model definition, migrations, tests
Alschn · Nov 28, 2023 · dd75732 · dd75732
1 parent 597fe34
commit dd75732
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/links/migrations/0001_initial.py b/links/migrations/0001_initial.py
@@ -2,8 +2,8 @@
 
 from django.conf import settings
 from django.db import migrations, models
-import django.db.models.deletion
 import django.utils.timezone
+import django.core.validators
 
 
 class Migration(migrations.Migration):
@@ -22,7 +22,7 @@ class Migration(migrations.Migration):
                 ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
                 ('title', models.CharField(max_length=127)),
                 ('description', models.TextField(blank=True, default='', max_length=1000)),
-                ('url', models.URLField()),
+                ('url', models.URLField(validators=[django.core.validators.URLValidator(schemes=('https',))])),
                 ('source_type', models.CharField(choices=[('YT', 'YouTube'), ('SP', 'Spotify'), ('UN', 'Unknown')], max_length=2)),
                 ('created_at', models.DateTimeField(auto_now_add=True)),
                 ('updated_at', models.DateTimeField(auto_now=True)),

diff --git a/links/models/link.py b/links/models/link.py
@@ -1,16 +1,21 @@
+from django.core import validators
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
 
 class Link(models.Model):
+    ALLOWED_SCHEMES = ('https',)
+
     class SourceType(models.TextChoices):
         YOUTUBE = 'YT', _('YouTube')
         SPOTIFY = 'SP', _('Spotify')
         UNKNOWN = 'UN', _('Unknown')
 
     title = models.CharField(max_length=127)
     description = models.TextField(max_length=1000, blank=True, default='')
-    url = models.URLField()
+    url = models.URLField(
+        validators=[validators.URLValidator(schemes=ALLOWED_SCHEMES)],
+    )
     source_type = models.CharField(choices=SourceType.choices, max_length=2)
     user = models.ForeignKey(
         'accounts.User',

diff --git a/links/serializers/link.py b/links/serializers/link.py
@@ -1,6 +1,7 @@
 from urllib.parse import urlparse
 
 from django.contrib.auth import get_user_model
+from django.core import validators
 from django.db import transaction
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
@@ -52,6 +53,7 @@ class Meta:
             'updated_at',
         )
         extra_kwargs = {
+            'url': {'validators': [validators.URLValidator(schemes=Link.ALLOWED_SCHEMES)]},
             'source_type': {'read_only': True, 'required': False},
             'user': {'read_only': True, 'required': False},
             'track': {'read_only': True, 'required': False},
@@ -91,6 +93,9 @@ class LinkCreateResultSerializer(LinkCreateSerializer):
     # do not use elsewhere
     task_id = serializers.CharField(read_only=True)
 
+    class Meta(LinkCreateSerializer.Meta):
+        fields = LinkCreateSerializer.Meta.fields + ('task_id',)
+
 
 def get_source_type_from_url(url: str) -> Link.SourceType:
     parsed = urlparse(url)

diff --git a/links/tests/test_links_views.py b/links/tests/test_links_views.py
@@ -1,5 +1,7 @@
 from unittest.mock import patch
 
+from django.core.exceptions import ValidationError
+from django.core.validators import URLValidator
 from django.test import TestCase, override_settings
 from rest_framework import status
 from rest_framework.reverse import reverse_lazy
@@ -155,3 +157,23 @@ def test_create_link_link_request_does_not_belong_to_user(self):
         )
         self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
         self.assertIn('link_request', response.json())
+
+    def test_create_link_http(self):
+        link_request = LinkRequestFactory(user=self.user)
+        url = 'http://localhost:8000'
+
+        validator = URLValidator(schemes=Link.ALLOWED_SCHEMES)
+        with self.assertRaises(ValidationError):
+            validator(url)
+
+        self.client.force_login(self.user)
+        response = self.client.post(
+            self.links_list_url,
+            data={
+                'link_request': link_request.id,
+                'title': 'HTTP link test',
+                'url': url
+            },
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn('url', response.json())